最近在学习安卓漏挖,在分析ghera数据集时发现一个很有意思的binder特性,但还没搞懂底层原理,先挖个坑
漏洞分析
EnforceCallingOrSelfPermission-PrivilegeEscalation-Lean
以下代码使用Binder.getCallingPid()和Binder.getCallingUid()对调用方进行了权限检查
// MyService.java
public int onStartCommand(Intent intent, int flags, int startId) {Log.d("MyService", "Calling PID = " + Binder.getCallingPid() + " Calling UID = " + Binder.getCallingUid());if (checkPermission("santos.benign.permission", Binder.getCallingPid(), Binder.getCallingUid()) == PackageManager.PERMISSION_GRANLog.d("MyService", "Service Started");Intent activityIntent = new Intent(this, SensitiveActivity.class);activityIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);activityIntent.putExtra("status_msg", "SUCCESS");this.startActivity(activityIntent);} else {Log.d("MyService", "Failed to start the service");}return super.onStartCommand(intent, flags, startId);
}
其中调用方如下
// MainActivity.java
protected void onResume() {super.onResume();if (checkPermission("santos.benign.permission", android.os.Process.myPid(), android.os.Process.myUid()) == PackageMLog.d("MyService", "permission to service already granted");startService(new Intent(getApplicationContext(), MyService.class));} else {Log.d("MyService", "component does not have permission to call service");ActivityCompat.requestPermissions(this, new String[]{"santos.benign.permission"}, 100);}
}
可以看到,MyService是由MainActivity启动的,也就是他们都属于主线程。而在主线程调用Binder.getCallingPid()和Binder.getCallingUid()不会返回调用方的信息,只会返回自身进程的信息,这样上面代码的权限校验相当于只对自身权限做了检查,正确的做法应该是在manifest中静态声明权限或使用EnforceCallingPermission方法进行校验